Legal and contractual obligations
Design your program to be compliant with all relevant national and/or local laws and regulations.
Ensure appropriate language that clearly establishes your respective roles and responsibilities for security and privacy is included in all contracts/MOUs/agreements between your organisation and any software and/or service providers.
This includes contracts/agreements with third-party service providers, who may have integrations with the solution implemented for you (e.g. SMS providers, email providers).
Such contracts/agreements should also be put in place with other government agencies, where any PII is sought to be shared with them unless they are already explicitly covered by existing laws and regulations.
Enforce these obligations by requiring implementing agencies, support agencies, third parties, and any other entity given access to data under such a contract or agreement to demonstrate compliance.
Purpose limitation and data minimisation
Identify the purpose for which a given data point is being collected, processed, and/or shared.
Ensure that the purpose is part of the mandate of your organisation, and/or that the legal basis for that purpose is established.
Do not collect data for which there is not a clear and legally defined purpose.
Define a role-access framework, wherein only roles that have a clear and legally defined purpose for access to a given data point can access it.
Notice and/or Consent
Publish a privacy policy for your organisation, which explains the purpose for collection/use/sharing of data, and which roles have access to which data.
At each point of data collection, provide clear notice to the data principal about the purpose of data collection, with links to the privacy policy for additional details.
In cases where PII is sought to be shared or used in ways not covered in the notice provided at data collection, seek and record the consent of the data principal for such additional sharing or use.
When sharing data with other entities, ensure that such entities have suitable security and privacy policies in place before such sharing.
Secure operations
To ensure security and privacy are maintained in practice, develop standard operating procedures and guidelines for all personnel to follow.
Train all personnel on your organisation’s privacy policy, standard operating procedures, and guidelines.
In particular, train personnel on the importance of login credentials/passwords, and why these must not be shared with anyone. To reduce the administrative load on personnel, explore the use of single sign-on (SSO) or similar technologies.
Establish processes to change passwords when individuals move out of a given role, or leave your organisation.
Review audit logs periodically to identify who has accessed data; use this information to periodically verify or revise role-access mapping.
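As an added illustration of the role-access framework (under "Purpose limitation and data minimisation") and of the audit-log review just described, not part of the original checklist: a small Python script that checks audit-log lines against a role-access mapping, flagging accesses for which the role has no defined purpose and grants that were never exercised in the review period. The roles, data points, purposes and log lines are all constructed assumptions, not taken from any real system.

```python
from collections import defaultdict

# Constructed role-access mapping (not from any real system):
# role -> {data_point: purpose that legally justifies access}
ROLE_ACCESS = {
    "caseworker": {"name": "case_management", "address": "case_management"},
    "finance": {"name": "payment", "bank_account": "payment"},
    "auditor": {"access_log": "oversight"},
}

# Constructed audit log: timestamp user role data_point record_id
AUDIT_LOG = """\
2024-03-01T09:12:03Z u101 caseworker name r55
2024-03-01T09:12:04Z u101 caseworker address r55
2024-03-01T10:30:11Z u207 finance bank_account r55
2024-03-01T11:02:45Z u207 finance address r55
2024-03-01T11:40:00Z u301 auditor access_log -
2024-03-02T08:15:22Z u333 intern name r60
"""

def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, data_point, record = line.split()
            events.append({"ts": ts, "user": user, "role": role,
                           "data_point": data_point, "record": record})
    return events

def review(events, mapping):
    """Return (violations, unused_grants).

    violations: accesses where the role has no defined purpose for the
    data point (a role absent from the mapping has no purpose at all).
    unused_grants: (role, data_point) pairs never exercised in the period,
    candidates for removal when the role-access mapping is revised.
    """
    violations, used = [], defaultdict(set)
    for ev in events:
        if ev["data_point"] in mapping.get(ev["role"], {}):
            used[ev["role"]].add(ev["data_point"])
        else:
            violations.append(ev)
    unused = sorted((role, dp) for role, grants in mapping.items()
                    for dp in grants if dp not in used[role])
    return violations, unused
```

Running `review(parse_log(AUDIT_LOG), ROLE_ACCESS)` on the constructed data flags the finance user reading an address and the unmapped "intern" role, and reports the finance grant on "name" as unused.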